1.3. Special case: setuid and setgid
setuid and setgid are two attributes that modify the rights of the process created by executing the file. If setuid is set, then when a user executes the file, the process runs with the rights of the file's owner for the duration of the execution. For setgid, as you have guessed, the process inherits the rights of the file's group instead of those of the owner.
To enable or disable them, you simply add or remove the "s" flag on the owner or group position.
Adding setuid
Code:
chmod u+s myfile
We observe:
Code:
ls -l myfile
-rwsrw-r-- 1 sl friends 200 Sep 23 16:44 myfile
Adding setgid
Code:
chmod g+s myfile2
We observe:
Code:
ls -l myfile2
-rwxrwsr-- 1 sl friends 200 Sep 23 16:44 myfile2
1.4. Limitation of the system
This simple and effective system has one major limitation: rights can only be managed for a single owner, a single group, and everyone else.
2. ACLs on Linux (POSIX)
2.1. What ACLs bring
To illustrate, take a case that is hard to solve with the generic rights system:
Suppose I have a file example.txt, which contains gift ideas for birthdays.
Here are its permissions:
Code:
ls -l example.txt
-rwxrw---- 1 sl friends 120 Sep 23 17:44 example.txt
Unfortunately, the user I want to keep out also belongs to the group "friends". I cannot remove him from the group just for one file; that would mainly impact other files. Create another group without him? What a complication! The solution lies in adding users and/or groups on top of the basic rights (rwx). I can thus specify an ACL that removes that user's read right, even though he belongs to friends.
2.1. Prerequisites
There are two prerequisites:
- The kernel supports ACLs.
- The file system is mounted with the acl option, for example in /etc/fstab:
Code:
/dev/hda6 /home ext3 defaults,acl 0 2
2.2. Assigning ACLs
There are two basic commands to manage ACLs: setfacl and getfacl.
All examples start from the following file:
Code:
sl@testuser:/home/test$ ls -lrt
total 4
-rwxr-x--- 1 sl sl 209 2009-11-30 16:59 test.xml
setfacl lets you edit the list of access rights: you can remove entries as well as add them. First of all, you must initialise a "mask". If no mask exists, you cannot add ACL entries. Only the operations allowed in this mask are effective. So if you set the mask to rw-, nobody can execute the file, even if you allow it in their entry. Conversely, if the mask is rwx and you want to prevent everyone who has the write right from performing a write operation, you simply change the mask to r-x.
Adding a full mask
Code:
setfacl -m m::rwx myfile
Let's use this command to examine the syntax of setfacl. The -m argument adds an ACL entry, whereas -x removes one.
Code:
<type of person>:<name>:<rights, e.g. rwx>
The second argument follows that structure. There are two types of entries (besides the mask "m"): "u" for a user and "g" for a group. So, to give user pm read and write rights on a file:
User entry
Code:
setfacl -m u:pm:rw- myfile
When you change the permissions of a directory and you want all files in it to have the same rights, use the -R option (recursive). When I do an ls -l on my file, I notice a small change:
Code:
sl@testuser:/home/test$ ls -lrt
total 4
-rwxr-x---+ 1 sl sl 209 2009-11-30 16:59 test.xml
The small + indicates that the file has ACL entries. To view the ACL in a readable form, use the getfacl command.
The getfacl command
Code:
sl@testuser:/home/test$ getfacl test.xml
# file: test.xml
# owner: sl
# group: sl
user::rwx
user:pm:rw-
group::r-x
mask::rwx
other::---
The lines user::rwx, other::--- and group::r-x correspond to the usual Unix rights.
You also find your mask, mask::rwx, and the entry for user pm: user:pm:rw-.
Now let's see what the mask is for. I want to remove the write right from all users except me, the owner. I remove the write permission from the mask.
Changing the mask
Code:
sl@testuser:/home/test$ setfacl -m m::rx test.xml
sl@testuser:/home/test$ getfacl test.xml
# file: test.xml
# owner: sl
# group: sl
user::rwx
user:pm:rw-			#effective:r--
group::r-x
mask::r-x
other::---
Note the #effective line, which tells us that after applying the mask, pm's real rights are: read only. Without the mask, I would have had to remove the write right from each user entry. If I want to remove pm's ACL entry from this file directly:
Deleting a user entry
Code:
sl@testuser:/home/test$ setfacl -x u:pm test.xml
sl@testuser:/home/test$ getfacl test.xml
# file: test.xml
# owner: sl
# group: sl
user::rwx
group::r-x
mask::r-x
other::---
pm then becomes a regular user subject to the classical rules. You can also delete all the ACL entries of a file:
Removing all ACLs
Code:
sl@testuser:/home/test$ setfacl -b test.xml
sl@testuser:/home/test$ getfacl test.xml
# file: test.xml
# owner: sl
# group: sl
user::rwx
group::r-x
other::---
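To see why the mask caps pm's rights while leaving the owner untouched, here is an added example (not from the tutorial) that models the POSIX ACL access check in Python over the getfacl listing from the mask-change step; the extra user bob and his group memberships are constructed for the demonstration.

```python
# Added example: a small model of how the kernel evaluates a POSIX ACL.
# GETFACL_OUTPUT is constructed from the "Changing the mask" session above.
GETFACL_OUTPUT = """\
# file: test.xml
# owner: sl
# group: sl
user::rwx
user:pm:rw-          #effective:r--
group::r-x
mask::r-x
other::---
"""

def parse_getfacl(text):
    """Parse getfacl(1) output into a dict. Keys: 'user', 'group', 'other',
    'mask', ('user', name), ('group', name). Values: sets of 'r', 'w', 'x'."""
    acl = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop header lines and #effective notes
        if not line:
            continue
        tag, qualifier, perms = line.split(":", 2)
        key = tag if qualifier == "" else (tag, qualifier)
        acl[key] = set(perms) - {"-"}
    return acl

def effective(acl, key):
    """Named users, the owning group and named groups are limited by the mask;
    the owner entry (user::) and other:: are not."""
    perms = acl.get(key, set())
    if key in ("user", "other") or "mask" not in acl:
        return perms
    return perms & acl["mask"]

def may_access(acl, uid, groups, owner, owning_group, op):
    """POSIX ACL check: the first matching class decides (owner, named user,
    groups, other); within the group class any matching entry may grant."""
    if uid == owner:
        return op in acl["user"]
    if ("user", uid) in acl:
        return op in effective(acl, ("user", uid))
    matches = ["group"] if owning_group in groups else []
    matches += [("group", g) for g in groups if ("group", g) in acl]
    if matches:
        return any(op in effective(acl, k) for k in matches)
    return op in acl["other"]

if __name__ == "__main__":
    acl = parse_getfacl(GETFACL_OUTPUT)
    print("pm effective:", effective(acl, ("user", "pm")))        # {'r'}
    print("pm may write:", may_access(acl, "pm", ["friends"], "sl", "sl", "w"))
```

Note that pm keeps the write right in his own entry; it is the mask entry alone that makes it ineffective, which is exactly what the #effective line reports.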
3. Conclusion
Generic Unix rights management should be well known to everyone, first for security reasons but also for privacy, and because it is fundamental to handling and using files. Today ACLs are available on Linux and even on other Unixes; they are simple to set up and within reach of any administrator or user. I strongly advise putting them in place, at least initially on /home, where this kind of fine-grained rights is often appreciated by users.